I was tempted to squeeze some sort of reply into less than 140 characters, but decided to answer here instead.

First, vulnerability research is not free. Funny enough, the No More Free Bugs movement is about one year old now. Charlie, Dino, and Alex are right -- it costs real resources to find vulnerabilities in software, with the cost depending on the target.

Second, exploit development is not free. It is not trivial to devise a reliable, multi-target, stealthy-if-necessary exploit for a discovered vulnerability. Projects like Metasploit have made it a little easier since the days of one-off code for every proof of concept. Still, professional exploit writers spend a lot of time on Metasploit, commercial alternatives, or their own mechanisms.

Third, victim management is not free. Everyone likes to talk about "risk management." Let's flip that notion around and think from the intruder's perspective. One of the features separating amateurs from professionals is the degree to which the intruder can manage his or her presence in the victim enterprise. The greater the persistence of the intruder the more professional the intruder, almost by definition. It takes a decent amount of work to stay present and/or undetected in an enterprise, depending on the defender's capabilities.

So, black hats have a lot of costs to manage, beyond those in my original post. I can pretty confidently argue, however, that intruder costs are dwarfed by defender costs. To the extent that "defense in depth" (DiD) adds costs yet does not meaningfully reduce exposure and vulnerability, DiD does indeed "exacerbate the value cost inequity for defenders."

Aside: a quick way to identify ineffective DiD is to review network diagrams showing "firewall stacks." I mean, seriously, in 2010, who needs more than one "traditional" firewall on a network segment? 10 or more years ago I remember network security people thinking you needed multiple different firewalls so they would each "catch something different" or cover for errors. These days everyone lets 80 and 443 traverse the firewall, so malicious traffic just uses those services. How much money is wasted on these "traditional" designs?

You raise a fair point in regards to firewalls - especially given the plethora of user-driven attacks. However, let's say the attacker has an exploit for something in the DMZ. The attacker exploits a remote service. If you follow traditional design, the DMZ won't allow a callback (EGRESS filtering - the DMZ should initiate limited outbound connections). Now the attacker has to initiate an inbound connection, but only used ports are allowed through the firewall. Generally that means you have to kill a service. If that happens the admins will often notice the downtime quickly. Thus your job as an attacker is much more difficult.

There are of course other ways of getting a connection back, but the attacker would have to deliver a more complex initial payload, which can be very difficult.

Therefore, I'm not sure the money is wasted by traditional design. I'll admit that the vast majority of attacks now attack end users, but I believe that is an effect of the traditional firewall design being effective and attack patterns shifting. To quote Patton, "Fixed fortifications are monuments to man's stupidity." I think the appropriate move is to move beyond only traditional design not because of its failure, but because the attack has shifted.
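As an added illustration of the design the comment above describes (this is example code, not from the post or its commenters): a small policy evaluator over constructed flow records, where DMZ hosts may initiate only a listed set of outbound flows and inbound traffic is admitted only to ports a DMZ host actually serves. All addresses, ports and flows below are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed DMZ: one web server plus one host allowed outbound DNS (assumed).
DMZ = ip_network("192.0.2.0/24")
WEB = ip_address("192.0.2.10")
INBOUND_ALLOWED = {(WEB, 80), (WEB, 443)}   # only ports that really serve
EGRESS_ALLOWED = {                           # DMZ-initiated flows permitted out
    (ip_address("192.0.2.53"), ip_address("198.51.100.1"), 53),
}


@dataclass(frozen=True)
class Flow:
    src: str     # initiating host
    dst: str     # responding host
    dport: int   # destination port


def decide(flow: Flow) -> str:
    """Apply the DMZ policy: strict egress filtering, inbound only to used ports."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src in DMZ and dst not in DMZ:        # DMZ host trying to call out
        ok = (src, dst, flow.dport) in EGRESS_ALLOWED
        return "allow" if ok else "deny-egress"
    if dst in DMZ and src not in DMZ:        # outside host coming in
        ok = (dst, flow.dport) in INBOUND_ALLOWED
        return "allow" if ok else "deny-ingress"
    return "deny"                            # not a DMZ boundary crossing


def denied_callbacks(flows):
    """DMZ-initiated flows the policy blocked: the signal admins should review."""
    return [f for f in flows if decide(f) == "deny-egress"]


# Constructed sample flows: a normal visitor, an inbound probe to an unused
# port, a blocked reverse connection from the web server, and permitted DNS.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.10", 443),
    Flow("203.0.113.5", "192.0.2.10", 4444),
    Flow("192.0.2.10", "203.0.113.5", 4444),
    Flow("192.0.2.53", "198.51.100.1", 53),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src} -> {f.dst}:{f.dport}  {decide(f)}")
    print("blocked DMZ callbacks:", len(denied_callbacks(SAMPLE_FLOWS)))
```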

Although all those things are not free, I believe that the costs are in most cases going down, due to an increase in supply. It would be interesting to see a time-adjusted graph of the cost of a common zero day over the last few years. I think the largest cost for the intruder continues to be the post-intrusion aspect... how to get the money out, or the time and resources it takes to analyze and achieve results with stolen data. That being said, it is a replacement cost; you would have to be earning money or researching a technology anyway... but still a cost.